Krebs on Securityhttps://krebsonsecurity.com
In-depth security news and investigationTue, 18 Dec 2018 21:23:10 +0000en-UShourly1https://wordpress.org/?v=4.9.9A Chief Security Concern for Executive Teamshttps://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/
https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/#respondTue, 18 Dec 2018 21:23:10 +0000https://krebsonsecurity.com/?p=45873Virtually all companies like to say they take their customers’ privacy and security seriously, make it a top priority, blah blah. But you’d be forgiven if you couldn’t tell this by studying the executive leadership page of each company’s Web site. That’s because very few of the world’s biggest companies list any security executives in their highest ranks. Even among top tech firms, less than half list a chief technology officer (CTO). This post explores some reasons why this is the case, and why it can’t change fast enough.

KrebsOnSecurity reviewed the Web sites for the global top 100 companies by market value, and found just five percent of top 100 firms listed a chief information security officer (CISO) or chief security officer (CSO). Only a little more than a third even listed a CTO in their executive leadership pages.

The reality among high-tech firms that make up the top 50 companies in the NASDAQ market was even more striking: Fewer than half listed a CTO in their executive ranks, and I could find only three that featured a person with a security title.

Nobody’s saying these companies don’t have CISOs and/or CSOs and CTOs in their employ. A review of these companies via LinkedIn suggests that most of them in fact do have people in those roles (although I suspect the few that aren’t present or easily findable on LinkedIn have made a personal and/or professional decision not to be listed as such).

But it is interesting to note which roles companies consider worthwhile publishing in their executive leadership pages. For example, 73 percent of the top 100 companies listed a chief of human resources (or “chief people officer”), and about one-third included a chief marketing officer.

Not that these roles are somehow more or less important than that of a CISO/CSO within the organization. Nor is the average pay hugely different among all three roles. Yet, considering how much marketing (think consumer/customer data) and human resources (think employee personal/financial data) are impacted by your average data breach, it’s somewhat remarkable that more companies don’t list their chief security personnel among their top ranks.

Julie Conroy, research director at the market analyst firm Aite Group, said she initially hypothesized that companies with a regulatory mandate for strong cybersecurity controls (e.g. banks) would have this role in their executive leadership team.

“But a quick look at Bank of America and Chase’s websites proved me wrong,” Conroy said. “It looks like the CISO in those firms is one layer down, reporting to the executive leadership.”

Conroy says this dynamic reflects the fact that revenue centers like human capital and the ability to drum up new business are still prioritized and valued by businesses more than cost centers — including loss prevention and cybersecurity.

“Marketing and digital strategy roles drive top line revenue for firms—the latter is particularly important in retail and banking businesses as so much commerce moves online,” Conroy said. “While you and I know that cybersecurity and loss prevention are critical functions for all types of businesses, I don’t think that reality is reflected in the organizational structure of many businesses still. A common theme in my discussions with executives in cost center roles is how difficult it is for them to get budget to fund the tech they need for loss prevention initiatives.”

EXHIBIT A: EQUIFAX

Common or not, the dominant reporting structure in corporations runs the risk of having security concerns take a backseat when they get in the way of productivity, and often leaves the security team without someone to advocate for the proper budget.

Take the mega breach at Equifax last year that exposed the personal and financial data on 148 million people. Much blame has been placed on lax software patching practices at Equifax, but the cause of the intrusion was ultimately a people and organizational structure issue, argues Lance Spitzner, director of security awarness at the SANS Institute.

“When you bring up the Equifax breach, most people respond that it was a patching issue, the bad guys exploited a Struts vulnerability that Equifax knew about and should have patched,” Spitzner wrote in a breakdown of a damning report released last week by lawmakers on the House Oversight committee.

But why wasn’t it patched? And why did it take them two months to identify the breach? Spitzner says the House report shows the ultimate reason was because the CSO Susan Mauldin did not report to the CIO, but was buried underneath the Chief Legal Officer. IT was siloed from security; the two rarely communicated or coordinated, leaving gaping holes in the organization.

The reason for this organizational divide? Spitzner notes:

“Ten years prior, the CSO reported to the CIO, however they had strong personality conflicts. Since the two could not work together, the CSO was moved under legal. However, when Equifax’s new CIO David Webb and new CSO Susan Mauldin came on board, this split was never resolved. (Full details of this strategic failure start on page 55 of the report. I feel this is one of the most critical findings.) As a result, the CSO is now the CISO and that individual reports directly to the CEO at Equifax today.”

EXECUTIVE SILOS

Workforce experts say the main reason many firms don’t list their security leaders within their top executives is that these people typically do not report directly to the company’s board of directors or CEO. More commonly, the CSO or CISO reports to the CTO, or to the chief information officer.

“You need to make sure that your heads of security are on equal footing with the heads of tech, otherwise there is an inherent conflict at play,” said Anthony Belfiore, chief security officer for insurance company Aon PLC, in a Wall Street Journal story this month about the rising prominence of security leaders at major companies.

Source: Accenture.

Alissa Valentina Knight, senior analyst and colleague of Conroy’s at the Aite Group, said we’re in the middle of a changing of tides — where the CISO function once seen as a technology problem is now moving to a boardroom problem and bringing about a gradual shift in reporting structure.

“Historically, you’d see the CISO reporting to the CTO and despite the company having a CISO, that individual wasn’t listed on the company’s web site, [and] while they had an officer title, they weren’t given that privilege,” Knight said.

But she added that many companies — despite having a CISO — will not list them on their web site’s leadership team page, even when that reporting structure changes from the CTO to the CEO or Board of Directors.

“Some companies are even moving the cybersecurity function to report up through the CFO,” Knight said.

According to a survey released this summer by Accenture, two-thirds of companies said their chief executive and board of directors now have direct oversight of cybersecurity. The survey also found CIOs also had less control over cybersecurity budgets in 2018, 35 percent in 2017 to 29 percent this year, the survey found.

Companies can minimize conflict between the CSO/CISO and other top executives by having their security leader(s) report to the head of operations, or to the company’s general counsel, Belfiore told The Journal. For example, those that have CISOs reporting to CIOs can mix in reporting lines to legal, risk or the CEO office to offset potential conflicts.

*Calculated based on number of top 100 companies with available leadership data (see these Top 100 and Top 50 spreadsheets).

]]>https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/feed/0Spammed Bomb Threat Hoax Demands Bitcoinhttps://krebsonsecurity.com/2018/12/spammed-bomb-threat-hoax-demands-bitcoin/
https://krebsonsecurity.com/2018/12/spammed-bomb-threat-hoax-demands-bitcoin/#commentsThu, 13 Dec 2018 20:24:32 +0000https://krebsonsecurity.com/?p=46017A new email extortion scam is making the rounds, threatening that someone has planted bombs within the recipient’s building that will be detonated unless a hefty bitcoin ransom is paid by the end of the business day.

Sources at multiple U.S. based financial institutions reported receiving the threats, which included the subject line, “I advise you not to call the police.”

The email reads:

My man carried a bomb (Hexogen) into the building where your company is located. It is constructed under my direction. It can be hidden anywhere because of its small size, it is not able to damage the supporting building structure, but in the case of its detonation you will get many victims.

My mercenary keeps the building under the control. If he notices any unusual behavior or emergency he will blow up the bomb.

I can withdraw my mercenary if you pay. You pay me 20.000 $ in Bitcoin and the bomb will not explode, but don’t try to cheat -I warrant you that I will withdraw my mercenary only after 3 confirmations in blockchain network.

Here is my Bitcoin address : 1GHKDgQX7hqTM7mMmiiUvgihGMHtvNJqTv

You have to solve problems with the transfer by the end of the workday. If you are late with the money explosive will explode.

This is just a business, if you don’t send me the money and the explosive device detonates, other commercial enterprises will transfer me more money, because this isnt a one-time action.

I wont visit this email. I check my Bitcoin wallet every 35 min and after seeing the money I will order my recruited person to get away.

If the explosive device explodes and the authorities notice this letter:
We are not terrorists and dont assume any responsibility for explosions in other buildings.

The bitcoin address included in the email was different in each message forwarded to KrebsOnSecurity. In that respect, this scam is reminiscent of the various email sextortion campaigns that went viral earlier this year, which led with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid.

I could see this spam campaign being extremely disruptive in the short run. There is little doubt that some businesses receiving this extortion email will treat it as a credible threat. This is exactly what happened today at one of the banks that forwarded me their copy of this email. Also, KrebsOnSecurity has received reports that numerous school districts across the country have closed schools early today in response to this hoax email threat.

“There are several serious legal problems with this — people will be calling the police, and they cannot ignore even a known hoax,” said Jason McNew, CEO and founder of Stronghold Cyber Security, a consultancy based in Gettysburg, Pa.

This is a developing story, and may be updated throughout the day.

Update: 4:46 p.m. ET: Added bit about school closings.

]]>https://krebsonsecurity.com/2018/12/spammed-bomb-threat-hoax-demands-bitcoin/feed/81Scanning for Flaws, Scoring for Securityhttps://krebsonsecurity.com/2018/12/scanning-for-flaws-scoring-for-security/
https://krebsonsecurity.com/2018/12/scanning-for-flaws-scoring-for-security/#commentsWed, 12 Dec 2018 19:25:14 +0000https://krebsonsecurity.com/?p=45980Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late.

Image: US Chamber of Commerce.

For years, potential creditors have judged the relative risk of extending credit to consumers based in part on the applicant’s credit score — the most widely used being the score developed by FICO, previously known as Fair Isaac Corporation. Earlier this year, FICO began touting its Cyber Risk Score (PDF), which seeks to measure an organization’s chances of experiencing a data breach in the next 12 months, based on a variety of measurements tied to the company’s public-facing online assets.

In October, FICO teamed up with the U.S. Chamber of Commerce to evaluate more than 2,500 U.S. companies with the Cyber Risk Score, and then invited these companies to sign up and see how their score compares with that of other organizations in their industry. The stated use cases for the Cyber Risk Score include the potential for cyber insurance pricing and underwriting, and evaluating supply chain risk (i.e., the security posture of vendor partners).

The company-specific scores are supposed to be made available only to vetted people at the organization who go through FICO’s signup process. But in a marketing email sent to FICO members on Tuesday advertising its new benchmarking feature, FICO accidentally exposed the FICO Cyber Risk Score of energy giant ExxonMobil.

The marketing email was quickly recalled and reissued in a redacted version, but it seems ExxonMobil’s score of 587 puts it in the “elevated” risk category and somewhat below the mean score among large companies in the Energy and Utilities sector, which was 637. The October analysis by the Chamber and FICO gives U.S. businesses an overall score of 687 on a scale of 300-850.

Data accidentally released by FICO about the Cyber Risk Score for ExxonMobil.

How useful is such a score? Mike Lloyd, chief technology officer at RedSeal, was quoted as saying a score “taken from the outside looking in is similar to rating the fire risk to a building based on a photograph from across the street.”

“You can, of course, establish some important things about the quality of a building from a photograph, but it’s no substitute for really being able to inspect it from the inside,” Lloyd told Dark Reading regarding the Chamber/FICO announcement in October.

Naturally, combining external scans with internal vulnerability probes and penetration testing engagements can provide organizations with a much more holistic picture of their security posture. But when a major company makes public, repeated and prolonged external security foibles, it’s difficult to escape the conclusion that perhaps it isn’t looking too closely at its internal security either.

ENTIRELY, CERTIFIABLY PREVENTABLE

Too bad the errant FICO marketing email didn’t expose the current cyber risk score of big-three consumer credit bureau Equifax, which was relieved of personal and financial data on 148 million Americans last year after the company failed to patch one of its Web servers and then failed to detect an intrusion into its systems for months.

A 96-page report (PDF) released this week by a House oversight committee found the Equifax breach was “entirely preventable.” For 76 days beginning mid May 2017, the intruders made more than 9,000 queries on 48 Equifax databases.

According to the report, the attackers were able to move the data off of Equifax’s network undetected thanks to an expired security certificate. Specifically, “while Equifax had installed a tool to inspect network traffic for evidence of malicious activity, the expired certificate prevented that tool from performing its intended function of detecting malicious traffic.”

Expired certificates aren’t particularly rare or noteworthy, but when they persist in publicly-facing Web servers for days or weeks on end, it raises the question: Is anyone at the affected organization paying attention at all to security?

Given how damaging it was for Equifax to have an expired certificate, you might think the company would have done everything in its power to ensure this wouldn’t happen again. But it would happen again — on at least two occasions earlier this year.

In April 2018, KrebsOnSecurity pointed out that the Web site Equifax makes available for consumers who wish to freeze their credit files was using an expired certificate, causing the site to throw up a dire red warning page that almost certainly scared countless consumers away from securing their credit files.

It took Equifax two weeks to fix that expired cert. A week later, I found another expired certificate on the credit freeze Web portal for the National Consumer Telecommunications and Utilities Exchange — a consumer credit bureau operated by Equifax.

ARE YOU EXPERIANSED?

One has to wonder what the median FICO Cyber Risk Score is for the credit bureau industry, because whatever Equifax’s score is it can’t be too different from that of its top competitor — Experian, which is no stranger to data breaches.

On Tuesday, security researcher @notdan tweeted about finding a series of open directories on Experian’s Web site. Open directories, in which files and folders on a Web server are listed publicly and clickable down to the last file, aren’t terribly uncommon to find exposed on smaller Web sites, but they’re not the sort of oversight you’d expect to see at a company with the size and sensitivity of Experian.

A directory listing that exposed a number of files on an Experian server.

Included in one of the exposed directories on the Experian server were dozens of files that appeared to be digital artifacts left behind by a popular Web vulnerability scanner Burp Suite. It’s unclear whether those files were the result of scans run by someone within the company, or if they were the product of an unauthorized security probe by would-be intruders that somehow got indexed by Experian’s servers (the latter possibility being far more concerning).

Experian did not respond to requests for comment, and the company disabled public access to the directories shortly after other researchers on Twitter began piling on to @notdan’s findings with their own discoveries.

Evidence of data left behind by a Burp Suite Web vulnerability scan run against an Experian server.

As I noted in last week’s story on the 4-year-long breach at Marriott that exposed personal and financial data on some 500 million guests, companies that have their heads screwed on correctly from an information security standpoint are run by leaders who are expecting the organization will get breached constantly through vulnerabilities, phishing and malware attacks.

They’re continuously testing their own internal networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). They are finding creative ways to cut down on the volume of sensitive data that they need to store and protect. And they are segmenting their networks like watertight compartments in a ship, so that a breach in one part of the organization’s digital hull can’t spread to the rest of the vessel and sink the whole ship (it’s worth noting the House oversight report observed that the lack of network segmentation was a major contributor to the Equifax breach).

But companies with advanced “security maturity” also are regularly taking a hard look at what their outward-facing security posture says to the rest of the world, fully cognizant that appearances matter — particularly to ne’er-do-wells who tend to view public security weaknesses like broken windows, and as an invitation to mischief.

]]>https://krebsonsecurity.com/2018/12/scanning-for-flaws-scoring-for-security/feed/49Patch Tuesday, December 2018 Editionhttps://krebsonsecurity.com/2018/12/patch-tuesday-december-2018-edition/
https://krebsonsecurity.com/2018/12/patch-tuesday-december-2018-edition/#commentsTue, 11 Dec 2018 21:05:41 +0000https://krebsonsecurity.com/?p=45907Adobe and Microsoft each released updates today to tackle critical security weaknesses in their software. Microsoft’s December patch batch is relatively light, addressing more than three dozen vulnerabilities in Windows and related applications. Adobe has issued security fixes for its Acrobat and PDF Reader products, and has a patch for yet another zero-day flaw in Flash Player that is already being exploited in the wild.

At least nine of the bugs in the Microsoft patches address flaws the company deems “critical,” meaning they can be exploited by malware or ne’er-do-wells to install malicious software with little or no help from users, save for perhaps browsing to a hacked or booby-trapped site.

Microsoft patched a zero-day flaw that is already being exploited (CVE-2018-8611) and allows an attacker to elevate his privileges on a host system. The weakness, which is present on all supported versions of Windows, is tagged with the less severe “important” rating by Microsoft mainly because it requires an attacker to be logged on to the system first.

According to security firm Rapid7, other notable vulnerabilities this month are in Internet Explorer (CVE-2018-8631) and Edge (CVE-2018-8624), both of which Microsoft considers most likely to be exploited. Similarly, CVE-2018-8628 is flaw in all supported versions of PowerPoint which is also likely to be used by attackers.

It generally can’t hurt for Windows users to wait a day or two after Microsoft releases monthly security updates before installing the fixes; occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out. Also, it’s a good idea to get in the habit of backing up your data before installing Windows updates.

Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

For its part, Adobe’s got new versions of Adobe Reader and Adobe Acrobat that plug dozens of security holes in the programs. Also, last week Adobe issued an emergency patch to fix a zero-day flaw in Flash Player that bad guys are now using in active attacks.

Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it.

Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020.

As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

]]>https://krebsonsecurity.com/2018/12/patch-tuesday-december-2018-edition/feed/21How Internet Savvy are Your Leaders?https://krebsonsecurity.com/2018/12/how-internet-savvy-are-your-leaders/
https://krebsonsecurity.com/2018/12/how-internet-savvy-are-your-leaders/#commentsMon, 10 Dec 2018 20:40:05 +0000https://krebsonsecurity.com/?p=45931Back in April 2015, I tweeted about receiving a letter via snail mail suggesting the search engine rankings for a domain registered in my name would suffer if I didn’t pay a bill for some kind of dubious-looking service I’d never heard of. But it wasn’t until the past week that it become clear how many organizations — including towns, cities and political campaigns — actually have fallen for this brazen scam.

Image: Better Business Bureau.

The letter I tweeted about was from a company called Web Listings Inc., and it said I should pay a $85 charge for an “annual web site search engine” service.

The first clue that this was probably a scam was the letter said halfway down in capital letters “THIS IS NOT A BILL,” although it sure was made to look like one. Also, the domain it referenced was “fuckbriankrebs.com,” which was indeed registered using my street address but certainly not by me.

The sad truth is plenty of organizations *are* paying the people behind this charade, which is probably why Web Listings has been running it continuously for more than a decade. Most likely that’s because some percentage of recipients confuse this notice with a warning about a domain name they own that is about to expire and needs to be renewed.

We know plenty of people are getting snookered thanks to searchable online records filed by a range of political campaigns, towns, cities and municipalities — all of which are required to publicly report how they spend their money (or at least that of their constituents).

According to a statement filed with the Federal Election Commission, one of the earliest public records involving a payment to Web Listings dates back to 2008 and comes from none other than the the 2008 Hillary Clinton for President fund.

The documents unearthed in this story all came compliments of Ron Guilmette, a most dogged and intrepid researcher who usually spends his time tracking down and suing spammers. Guilmette said most of the public references he found regarding payments to Web Services Inc. are from political campaigns and small towns.

“Which naturally raises the question: Should we really be trusting these people with our money?” Guilmette said. “What kind of people or organizations are most likely to pay a bill that is utterly phony baloney, and that actually isn’t due and payable? The answer is people and organizations that are not spending their own money.”

Also paying $85 (PDF) to Web Listings was the 2015 campaign for Democrat Jim Kenney, the current mayor of Philadelphia.

Also in 2013, the Committee to Elect Judge Victor Heutsche (D) paid $85 to keep his Web site in good standing with Web Listings. Paul T. Davis, a former Democratic state representative from Kansas handed $85 (PDF) to Web Listings in 2012.

Image: Better Business Bureau.

Lest anyone think that somehow Democratic candidates for office are more susceptible to these types of schemes, a review of the publicly-searchable campaign payments to Web Listings Inc. uncovered by Guilmette shows a majority of them were for Web sites supporting Republican candidates.

The fundraising committee for Republican Dick Black‘s 2012 campaign for the Virginia Senate also paid Web Listings Inc. $85. The campaign to elect Ben Chafin as a Republican delegate in Virginia in 2013 also paid out.

Those in charge of the purse strings for the “Friends of GOP New York State Senator Tom Croci” fund paid $65 in 2011 to keep his political Web site full of search engine goodness.

Paying $85 each to Web Listings in 2012 were the judicial campaigns for Louisiana GOP Judge John Slattery, and Lynn Donald Stewart, who successfully got re-elected to the Nevada state assembly that year.

Perhaps the most reliable customers of Web Listings’ dubious services have been cities, towns and municipalities across the United States. Somehow, the people in charge of the purse strings for Simpson County, Kentucky paid $85 notices from Web Listings Inc. three years in a row (2016, 2017 and 2018).

A review of the complaints about Web Listings Inc. left over the past few years at the Better Business Bureau suggests that many recipients of this scam are confusing the mailer with a late payment notice from their domain registrar. As such, it’s likely this phony company has scammed a ridiculous number of consumers over the years, Guilmette observed.

“I’m sure they’ve conned a zillion other people who were spending their own money,” he said. “These are only the ones for which public records are available online.”

Stay tuned for Part Two of this story, which will look at some clues about who may be responsible for this long-running racket.

]]>https://krebsonsecurity.com/2018/12/how-internet-savvy-are-your-leaders/feed/63Bomb Threat Hoaxer, DDos Boss Gets 3 Yearshttps://krebsonsecurity.com/2018/12/bomb-threat-hoaxer-ddos-boss-gets-3-years/
https://krebsonsecurity.com/2018/12/bomb-threat-hoaxer-ddos-boss-gets-3-years/#commentsSat, 08 Dec 2018 01:38:49 +0000https://krebsonsecurity.com/?p=45917The ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched distributed denial-of-service (DDoS) attacks against Web sites — including KrebsOnSecurity on multiple occasions — has been sentenced to three years in a U.K. prison, and faces the possibility of additional charges from U.S.-based law enforcement officials.

George Duke-Cohan, 19, caused a massive uproar earlier this year after communicating a series of bomb threats against 1,700 schools, colleges and universities across the United Kingdom. But shortly after being arrested on suspicion of the threats and released, Duke-Cohan was back at it again — this time expanding his threats to include schools in the United States.

One of many tweets from the attention-starved Apophis Squad, which launched multiple DDoS attacks against KrebsOnsecurity over the past few months.

At the same time, authorities in the U.K. and U.S. discovered that Duke-Cohan was responsible for falsely reporting the hijack of a plane bound for the United States. That flight, which had almost 300 passengers on board, was later quarantined in San Francisco pending a full security check.

Duke-Cohan was part of an attention-seeking group of ne’er-do-wells who called themselves the Apophis Squad. Duke-Cohan and his crew modeled themselves after the actions of the Lizard Squad, another group of e-fame seeking online hoodlums who also ran a DDoS-for-hire service, called in bomb threats to airlines, DDoSed this Web site repeatedly and whose members were nearly all subsequently arrested and charged with various cybercrimes.

Indeed, until recently the Apophis Squad’s Web site and DDoS-for-hire service was hosted on the same Internet server used by a handful of other domains that were tied to the Lizard Squad.

Earlier this year, KrebsOnSecurity.com came under sustained attack from the Apophis Squad, who took to Twitter to taunt this author while the attacks were underway. Duke-Cohan and other Apophis Squad members also attacked the free email service Protonmail, even as all of them continued to use their Protonmail accounts to communicate about the attacks.

KrebsOnSecurity assisted Protonmail in its investigation into the attacks, and the company later credited this author with helping to identify Duke-Cohan as the driving force behind the DDoS attacks.

Sources close to the investigation say Duke-Cohan may yet see additional charges from U.S.-based authorities. Also, several other members identified by this author as alleged co-conspirators along with Duke-Cohan have not yet been charged with a crime either in the U.K. or in the United States.

It’s not always fun when your site isn’t responsive because of determined attacks from groups like the Apophis Squad, but I try not to get too bent out of shape when these attacks do occur — mainly for two reasons: Firstly, those responsible typically end up getting busted and going to jail. Also, I usually get at least one good story out of it. In this case, make that two good stories.

A video of the the U.K. National Crime Agency (NCA) questioning and detaining Duke-Cohan.

]]>https://krebsonsecurity.com/2018/12/bomb-threat-hoaxer-ddos-boss-gets-3-years/feed/42A Breach, or Just a Forced Password Reset?https://krebsonsecurity.com/2018/12/a-breach-or-just-a-forced-password-reset/
https://krebsonsecurity.com/2018/12/a-breach-or-just-a-forced-password-reset/#commentsTue, 04 Dec 2018 21:45:51 +0000https://krebsonsecurity.com/?p=45880Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many Sharefile users interpreted this as a breach at Citrix and/or Sharefile, but the company maintains that’s not the case. Here’s a closer look at what happened, and some ideas about how to avoid a repeat of this scenario going forward.

The notice sent to ShareFile users looked like this:

Dozens of readers forwarded the above message to KrebsOnSecurity, saying they didn’t understand the reasoning for the mass password reset and that they suspected a breach at ShareFile.

I reached out to ShareFile and asked them point blank whether this reset effort was in response to any sort of intrusion at Citrix or ShareFile; they said no. I asked if this notice had been sent to everyone, and inquired whether ShareFile offers any form(s) of multi-factor authentication options that customers could use to supplement the security of passwords.

A Citrix spokesperson referred me to this page, which says ShareFile users have a number of options when it comes to locking down their accounts with multi-factor authentication, including a one-time code sent via SMS/text message, as well as one-time passwords generated by support authenticator mobile apps from Google and Microsoft (app-based multi-factor is the more secure option, as discussed here).

More importantly, the Citrix spokesperson said the company did not enforce a password reset on accounts that were using its most robust form of multi-factor authentication (single sign-on solutions, or SSOs). To wit:

“This is not in response to a breach of Citrix products or services,” wrote spokesperson Jamie Buranich. “Citrix forced password resets with the knowledge that attacks of this nature historically come in waves. Attacker’s additional efforts adapt to the results, often tuning the volume and approach of their methods. Our objective was to minimize the risk to our customers. We did not enforce a password reset on accounts that are using more stringent authentication controls. Citrix also directly integrates with common SSO solutions, which significantly reduces risk.”

The company did not respond to questions about why it decided to adopt regular password resets as a policy when doing so flies in the face of password and authentication best practices recommended by the National Institute of Standards and Technology (NIST), which warns:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations.”

“But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”

In short, NIST says it makes sense to force an across-the-board password reset following a breach — either of a specific user’s account or the entire password database. But doing so at regular intervals absent such evidence of compromise is likely to result in less complex and secure passwords.

Ideally, ShareFile users who received a password reset notice may be able to avoid the next round of password resets by adopting one of the two-step authentication options mentioned above. And I hope it goes without saying, but please don’t re-use a password you used anywhere else.

However, if you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Incidentally, there are several companies — such as auth0 and Okta — that make it easy to integrate with breached password databases like Troy Hunt’s HaveIBeenPwned.com to help proactively prevent users from picking passwords they have used at other sites (or at least at other sites that have been breached publicly).

Whether online merchants are willing to adopt such preemptive approaches is another matter, said Julie Conroy, research director with the Aite Group, a market analyst firm.

“With the reality that such a vast swath of username/password combinations have been compromised, this creates the potential for a ton of inline friction, something that is an anathema to merchants, and which banks work hard to stay away from as well,” Conroy said.

Update: 4:53 p.m. ET: Citrix just published its own blog post about this here.

]]>https://krebsonsecurity.com/2018/12/a-breach-or-just-a-forced-password-reset/feed/45Jared, Kay Jewelers Parent Fixes Data Leakhttps://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/
https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/#commentsMon, 03 Dec 2018 17:25:58 +0000https://krebsonsecurity.com/?p=45499The parent firm of bling retailers Jared and Kay Jewelers has fixed a bug in the Web sites of both companies that exposed the order information for all of their online customers.

In mid-November 2018, KrebsOnSecurity heard from a Jared customer who found something curious after receiving a receipt via email for a pair of earrings he’d just purchased as a surprise gift for his girlfriend.

Dallas-based Web developer Brandon Sheehy discovered that slightly modifying the link in the confirmation email he received and pasting that into a Web browser revealed another customer’s order, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.

Sheehy said after discovering the weakness, his mind quickly turned to the various ways that crooks might exploit it.

“My first thought was they could track a package of jewelry to someone’s door and swipe it off their doorstep,” he said. “My second thought was that someone could call Jared’s customers and pretend to be Jared, reading the last four digits of the customer’s card and saying there’d been a problem with the order, and if they could get a different card for the customer they could run it right away and get the order out quickly. That would be a pretty convincing scam. Or just targeted phishing attacks.”

Concerned that his own information was similarly exposed, Sheehy contacted Jared parent company Signet Jewelers and asked them to fix the data exposure. When several weeks passed and Sheehy could still view his information and that of other Jared customers, he reached out to KrebsOnSecurity.

Scott Lancaster, chief information security officer at Signet, said the company did fix the problem for all future orders shortly after receiving a customer’s complaint. But Lancaster said Signet neglected to remedy the data exposure for all past orders until contacted by KrebsOnSecurity.

“When a customer first brought this matter to our attention in early November, we fixed it for all new orders going forward,” Lancaster said. “But we didn’t notice at the time that this applied to all past orders as well as future orders.”

Lancaster said the problem affected only orders made online through jared.com and kay.com, and that the weakness was not present on the sites of the company’s other jewelry brands, such as Zales and Piercing Pagoda.

Data exposures like these are some of the most common yet preventable for online retailers. In July, identity theft protection service LifeLock corrected an information disclosure flaw that exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness exposing millions of customer names, email and physical addresses, birthdays and partial credit card numbers.

Sheehy said he’s glad Signet has fully fixed the bug, but said he was annoyed that it seems like many companies fail to address or even acknowledge such failures unless and until they’re confronted by the news media.

“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” he said. “This isn’t novel stuff, it’s basic Web site security.”

Dec. 11, 10:37 a.m.: Corrected Sheehy’s title.

]]>https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/feed/38What the Marriott Breach Says About Securityhttps://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/
https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/#commentsSat, 01 Dec 2018 21:16:13 +0000https://krebsonsecurity.com/?p=45825We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

TO COMPANIES

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.

This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

They’re constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.

TO INDIVIDUALS

Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Marriott is offering affected consumers a year’s worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can’t hurt as long as you’re not expecting it to prevent some kind of bad outcome. But once you’ve accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don’t already know.

Once you’ve owned both of these realities, you realize that expecting another company to safeguard your security is a fool’s errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne’er-do-wells from abusing access to said data.

This includes assuming that any passwords you use at one site will eventually get hacked and leaked or sold online (see Reality #2), and that as a result it is an extremely bad idea to re-use passwords across multiple Web sites. For example, if you used your Starwood password anywhere else, that other account you used it at is now at a much higher risk of getting compromised.

By the way, if you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Assuming compromise means placing very little trust or confidence in anything that comes to you via email. In the context of this Marriott/Starwood breach, for example, consider all the data points that attackers may now have to make a phishing or malware attack more likely to be successful: Your Starwood account number, your address, phone number, email address, passport number, dates and times of your reservations, and credit card information.

How hard would it be for someone to craft an email that warns of a problem with a recent reservation or with your Starwood account, urging you to click a booby trapped link or attachment to learn more? Now imagine that such targeted emails can come from any brand with whom you’ve done business (for a refresher, see Reality #2 above).

TOUGH TRADE-OFFS

If the advice above sounds inconvenient, unfair and expensive for all involved, congratulations: You are well on your way to internalizing Realities #1 and #2. For better or worse, being a savvy consumer means constantly having to make difficult trade-offs between security, privacy, and convenience.

Oh, and you generally only get to pick two out of three of these qualities. Same goes for the trio of high-speed, high-quality, and low-cost. Or good, fast, and cheap. Again, pick two. You get the idea.

Unfortunately, these transactions become even more lopsided and difficult to weigh when one party to them always selects the same trade-off (e.g., fast, low-cost, and convenient). Right now, it sure seems like there aren’t a lot of consequences when huge companies that ought to know better screw up massively on security, leaving consumers and their paying customers to clean up the mess.

I don’t know how many more big-time privacy and security debacles we need to convince our nation’s leaders that perhaps we should enshrine in law some basic standards of care for how companies handle and secure consumer data, and what rights and expectations consumers should have when companies fail to meet those standards. Because it’s clear that unless and until this happens, some subset of businesses out there will continue to make the most expedient and short-sighted trade-offs available to them, regardless of the impact to their customers and the public at large.

On this point, as with many others related to Internet security and privacy, I found it hard to argue with the opinion of my home state Senator Mark Warner (D-Va.), who observed:

“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans. Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”

]]>https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/feed/82Marriott: Data on 500 Million Guests Stolen in 4-Year Breachhttps://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/
https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/#commentsFri, 30 Nov 2018 13:47:51 +0000https://krebsonsecurity.com/?p=45814Hospitality giant Marriott today disclosed a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at any of its Starwood properties over the past four years.

Marriott said the breach involved unauthorized access to a database containing guest information tied to reservations made at Starwood properties on or before Sept. 10, 2018, and that its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.

Marriott said the intruders encrypted information from the hacked database (likely to avoid detection by any data-loss prevention tools when removing the stolen information from the company’s network), and that its efforts to decrypt that data set was not yet complete. But so far the hotel network believes that the encrypted data cache includes information on up to approximately 500 million guests who made a reservation at a Starwood property.

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.

Marriott added that customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.

Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of the its guest reservations or membership systems.

However, this would hardly be the first time a breach at a major hotel chain ballooned from one limited to restaurants and gift shops into a full-blown intrusion involving guest reservation data. In Dec. 2016, KrebsOnSecurity broke the news that banks were detecting a pattern of fraudulent transactions on credit cards that had one thing in common: They’d all been used during a short window of time at InterContinental Hotels Group (IHG) properties, including Holiday Inns and other popular chains across the United States.

It took IHG more than a month to confirm that finding, but the company said in a statement at the time it believed the intrusion was limited to malware installed at point of sale systems at restaurants and bars of 12 IHG-managed properties between August and December 2016.

In April 2017, IHG acknowledged that its investigation showed cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data — including those used at front desks in certain IHG properties.

Marriott says its own network does not appear to have been affected by this four-year data breach, and that the investigation only identified unauthorized access to the separate Starwood network.

Marriott is offering affected guests in the United States, Canada and the United Kingdom a free year’s worth of service from WebWatcher, one of several companies that advertise the ability to monitor the cybercrime underground for signs that the customer’s personal information is being traded or sold.